Negated patterns in AllowedUsers - openssh

This is a discussion on Negated patterns in AllowedUsers - openssh ; Hi,
I am a little bit confused about patterns behavior when used in
AllowedUsers directive. I am trying to limit root logins to localhost.
First I tried
AllowedUsers root@localhost !root
which should enable root from localhost and all nonroot users ...

Negated patterns in AllowedUsers

Hi,
I am a little bit confused about patterns behavior when used in
AllowedUsers directive. I am trying to limit root logins to localhost.
First I tried
AllowedUsers root@localhost !root
which should enable root from localhost and all nonroot users from
anywhere. However the username part is matched with match_pattern
function and this function does not take ! into account (see func
match_user in match.c).
Secondly I tried
DenyUsers root@!localhost
which should deny root when logging from anywhere but localhost.
Function match_host_and_ip does call match_hostname which calls
match_pattern_list. But if match_hostname function returns -1 which
means "match found and negation was requested", match_host_and_ip return
false as there would be no match. As fact at least one _positive_ match
is required to return true: